DETAILED ACTION

1. Claims 1-21 have been examined. 

Claim Rejections - 35 USC § 112 

2. The following is a quotation of the second paragraph of 35 U.S.C. 112:

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

3. Claim 10 is rejected under 35 U.S.C. 112, second paragraph, as being indefinite
for failing to particularly point out and distinctly claim the subject matter which applicant 
regards as the invention. Claim 10 recites the limitations "the hardened network" in line 
2 and "the log" in line 3. There is insufficient antecedent basis for these limitations in 
the claim. The limitation "the hardened network" is interpreted as "the redundant 
network" (claim 1, line 4); the limitation "the log" is interpreted as "a log". 

Claim Rejections - 35 USC § 103 

4. The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

5. Claims 1-13, 15, 17-19 and 21 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Mansfield ("Towards Trapping Wily Intruders in the Large") in view of 
Katz et al (4,575,842). 
a. Regarding claims 1-3, 11 and 21, Mansfield discloses a method for a data
collector to collect data from sampled network traffic comprising: 

sampling network packets and generating statistical information about the 
network flow (Section 3, Detection of Intrusions from traffic-flow signatures; Section 5, 
Implementations and Results); 

parsing the information in the sampled packets and maintaining the information in 
a log (Section 3, Detection of Intrusions from traffic-flow signatures); and 

communicating the generated statistics over a network to a central control center 
(Section 5, Implementations and Results; Section 3.1, Traffic-flow signature).

Mansfield does not disclose utilizing a hardened, redundant network. Katz 
discloses utilizing a hardened, redundant network (col. 3, lines 45-51). It would have 
been obvious to one of ordinary skill in the art at the time the invention was made to 
modify the Mansfield method to utilize a hardened, redundant network, as taught by 
Katz, in order to improve the survivability of a network. 

b. Regarding claim 4, Mansfield does not disclose that the network is a telephone 
network. Katz discloses a telephone network (col. 8, lines 16-25). It would have been
obvious to one of ordinary skill in the art at the time the invention was made to modify 
the Mansfield method such that the network is a telephone network, as taught by Katz. 
Please refer to motivation recited for using a hardened, redundant network as taught by 
Katz in claim 3.
c. Regarding claim 5, Mansfield further discloses that the information collected by
the data collector includes source information and destination information (Table 1; 
Section 3, Detection of Intrusions from traffic-flow signatures). 

d. Regarding claim 6, Mansfield further discloses that the data collector collects the 
information but does not log the sampled packets (Section 3.1, Traffic-flow signature).

e. Regarding claim 7, Mansfield further discloses that the data collector analyzes 
the collected statistics and may, if necessary, compose a message that raises an alarm 
to the control center (Section 5, Implementations and Results). 

f. Regarding claim 8, Mansfield further discloses that the data collector includes a 
communication process to respond to queries concerning characteristics of traffic on the 
network (Section 5, Implementations and Results). 

g. Regarding claim 9, Mansfield further discloses that the queries originate from the 
control center and are for information pertaining to statistics collected by the data 
collector (Section 5, Implementations and Results). 

h. Regarding claim 10, Mansfield further discloses that the query can be a request 
to download via the redundant network, a portion of a log of the collected information 
(Section 5, Implementations and Results). 

i. Regarding claim 12, Mansfield further discloses monitoring packet count, which 
is a parameter of traffic flow, at two levels of granularity (p. 5, 1st par., "The initial
threshold will need ... ball rolling"; Section 3.2, Definition of traffic-flow signature). 
j. Regarding claim 13, Mansfield further discloses that monitoring the parameter at
multiple levels of granularity is used to trace the source of an attack (Section 5, 
Implementations and Results). 

k. Regarding claim 15, Mansfield further discloses applying multi-level analysis to
monitor TCP packet ratios, repressor traffic and statistics based on Layer 3-7 analysis
(Section 3.3, Correlating traffic-flow signatures; Section 4, Map-based distributed
Intrusion tracing; Table 1; Section 2, Characteristics of Network Intrusions).

l. Regarding claim 17, Mansfield further discloses monitoring network traffic for
ICMP packets with broadcast destination addresses (Section 3.4, Experimental
evaluation).

m. Regarding claim 18, Mansfield further discloses monitoring network traffic for
transmission control protocol (TCP) or user datagram protocol (UDP) packets addressed
to unused ports (Table 1).

n. Regarding claim 19, Mansfield further discloses monitoring network traffic for 
transmission control protocol (TCP) ACK packets that do not belong to a known 
connection (Section 4, Map-based distributed Intrusion tracing). 

6. Claim 14 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Mansfield in view of Katz as applied to claim 13 above, and further in view of Zait et al 
(6,665,684). 

Mansfield discloses dividing the traffic flow and using memory spaces to track
counts of how many packets a data collector examines for a given parameter (p. 5, 1st
par., "The initial threshold will need ... ball rolling"). The memory spaces meet the
limitation of buckets.

Application/Control Number: 09/931,558 Page 6

Art Unit: 2132

Mansfield and Katz do not disclose adjusting the number of buckets as the 
number of buckets approaches a bucket threshold, by combining several buckets into 
fewer buckets or dividing a bucket into more buckets. Zait discloses adjusting the 
number of buckets as the number of buckets approaches a threshold, by dividing a 
bucket into more buckets (col. 10, lines 25-32). Mansfield and Zait are analogous art 
because they are from a similar problem solving area, efficient storing and searching for 
data. It would have been obvious to one of ordinary skill in the art at the time the 
invention was made to modify the combined method of Mansfield and Katz further to 
adjust the number of buckets as the number of buckets approaches a threshold, by 
dividing a bucket into more buckets, as taught by Zait, so that the granularity level 
matches a degree of parallelism when the degree of parallelism exceeds a threshold. 

7. Claim 16 is rejected under 35 U.S.C. 103(a) as being unpatentable over
Mansfield in view of Katz as applied to claim 15 above, and further in view of Roesch
("Snort - Lightweight Intrusion Detection for Networks"). Mansfield and Katz do not
disclose monitoring network traffic for fragmented IP packets. Roesch discloses
monitoring network traffic for fragmented IP packets (p. 230, right col., "Snort currently
addresses IP fragmentation ... sent by Snort automatically"). It would have been
obvious to one of ordinary skill in the art at the time the invention was made to modify
the combined method of Mansfield and Katz to monitor network traffic for fragmented IP
packets, as taught by Roesch, so that fragmented packet probes and attacks could be
logged and alerts could be generated.

8. Claim 20 is rejected under 35 U.S.C. 103(a) as being unpatentable over 
Mansfield in view of Katz as applied to claim 15 above, and further in view of Eichstaedt 
et al (6,662,230). Mansfield and Katz do not disclose monitoring network traffic 
generated not by a human user over a persistent HTTP connection. Eichstaedt 
discloses monitoring network traffic generated not by a human user over a persistent 
HTTP connection (col. 1, lines 49-63; col. 6, lines 20-33). It would have been obvious to
one of ordinary skill in the art at the time the invention was made to modify the 
combined method of Mansfield and Katz to monitor network traffic generated not by a 
human user over a persistent HTTP connection, as taught by Eichstaedt, in order to 
prevent overcrawling by robots that make too frequent requests. 

9. Claims 1-13 and 21 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Stallings ("Cryptography And Network Security: Principles and Practice") in view of 
Katz et al (4,575,842). 

a. Regarding claims 1-3, 11 and 21, Stallings discloses a method for a data collector
to collect data from sampled network traffic comprising: 

sampling network packets and generating statistical information about the 
network flow (p. 499, "One or more node ... could be valuable"; figures 15.5 and 15.6); 
parsing the information in the sampled packets and maintaining the information in
a log (p. 499, "The scheme is designed ... host audit record (HAR)"); and

communicating the generated statistics over a network to a central control center 
(fig. 15.6). 

Stallings does not disclose utilizing a hardened, redundant network. Katz 
discloses utilizing a hardened, redundant network (col. 3, lines 45-51). It would have 
been obvious to one of ordinary skill in the art at the time the invention was made to 
modify the Stallings method to utilize a hardened, redundant network, as taught by Katz, 
in order to improve the survivability of a network. 

b. Regarding claim 4, Stallings does not disclose that the network is a telephone 
network. Katz discloses a telephone network (col. 8, lines 16-25). It would have been 
obvious to one of ordinary skill in the art at the time the invention was made to modify 
the Stallings method such that the network is a telephone network, as taught by Katz. 
Please refer to motivation recited for using a hardened, redundant network as taught by 
Katz in claim 3.

c. Regarding claim 5, Stallings further discloses that the information collected by 
the data collector includes source information and destination information (p. 500, "The 
LAN monitor agent ... such as rlogin"). 

d. Regarding claim 6, Stallings further discloses that the data collector collects the 
information but does not log the sampled packets (p. 500, "The LAN monitor agent ... 
such as rlogin"). 
e. Regarding claim 7, Stallings further discloses that the data collector analyzes the
collected statistics and may, if necessary, compose a message that raises an alarm to 
the control center (p. 500, "When suspicious activity is detected ... from other agents"). 

f. Regarding claim 8, Stallings further discloses that the data collector includes a 
communication process to respond to queries concerning characteristics of traffic on the 
network (p. 500, "When suspicious activity is detected ... from other agents"; fig. 15.6). 

g. Regarding claim 9, Stallings further discloses that the queries originate from the 
control center and are for information pertaining to statistics collected by the data 
collector (p. 500, "When suspicious activity is detected ... from other agents"; fig. 15.6). 

h. Regarding claim 10, Stallings further discloses that the query can be a request to 
download via the redundant network, a portion of a log of the collected information (p. 
499, "One or more nodes ... information could be valuable"; fig. 15.6). 

i. Regarding claim 12, Stallings further discloses monitoring a parameter of traffic 
flow at different levels of granularity (p. 495, "The simplest statistical test ... and 
resource measures"). 

j. Regarding claim 13, Stallings further discloses that monitoring the parameter at
multiple levels of granularity is used to trace the source of an attack (p. 500, "At the 
lowest level ... file accessed, and the like"). 
Conclusion

10. The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

Hill et al (6,088,804) discloses a system and method for responding to computer 
network security attacks. 

Gleichauf et al (6,499,107) discloses a system and method for adaptive network 
security using intelligent packet analysis. 

Ohta et al, "Detection, Defense, and Tracking of Internet-Wide Illegal Access in a 
Distributed Manner". 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Minh Dinh whose telephone number is 571-272-3802. 
The examiner can normally be reached on Mon - Fri: 9:00 am - 5:30 pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 703-872-9306. 
Information regarding the status of an application may be obtained from the
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 